I have a FreeBSD box sitting at the end of a DSL line. This box is intended to eventually become my firewall, Web, and email host for my as-yet-unregistered vanity domain. I've read enough horror stories about boxes being r00t3d that I wasn't about to let mine get hijacked. As such, until I understand how to properly secure the box, I keep it powered off when I'm not actually fiddling with it.
Tonight, I was experimenting with getting my old (Cob-)Web site running under Zope on said box, so it had been up and running for several hours. I was doing most of the experiments through Mozilla on another machine. I popped back to the FreeBSD console, and saw something very worrying. Here's the entry from
Jan 20 21:20:07 www sendmail: g0L5K6b00493: ruleset=check_rcpt, arg1=<email@example.com>, relay=63-198-30-233.globaldatadotcom.com [188.8.131.52], reject=550 5.7.1 <firstname.lastname@example.org>... Relaying denied
Jan 20 21:20:07 www sendmail: g0L5K6b00493: from=<email@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=63-198-30-233.globaldatadotcom.com [184.108.40.206]
Thank $(GOD) FreeBSD's 'sendmail' comes configured out of the box to reject relay attempts, or things could have been bad for someone, not the least of which being me. A quick Google search revealed that the attempted relay rapist is one Richard "John" Scott, an unrepentant spammer, who even has a history of posing as a "regular" user and reporting competing spammers to abuse channels.
In the time I was tracking this one down, another, completely different, attempt arrived:
Jan 20 23:10:17 www sendmail: g0L7AHb00595: ruleset=check_rcpt, arg1=<Stop_Open_Relays@StopOpenRelays.com>, relay=30.muad.sttl.sttwa01r1.dsl.att.net [220.127.116.11], reject=550 5.7.1 <Stop_Open_Relays@StopOpenRelays.com>... Relaying denied
Jan 20 23:10:17 www sendmail: g0L7AHb00595: lost input channel from 30.muad.sttl.sttwa01r1.dsl.att.net [18.104.22.168] to MTA after rcpt
Jan 20 23:10:17 www sendmail: g0L7AHb00595: from=<Stop_Open_Relays@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=30.muad.sttl.sttwa01r1.dsl.att.net [22.214.171.124]
What makes this particularly astounding to me is that the rape attempt was made on a machine without a DNS name -- just a bare IP number -- and that is turned off 99% of the time. That means these guys probably have roving portscanners that don't even confine their search to DNS MX records, but portscan every IP address they can find, and then make an immediate attempt to exploit it. (I dimly wonder if this constitutes a criminal intrusion attempt.)
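As an added example, not part of the original post or of FreeBSD's sendmail configuration: a small Python script that parses sendmail syslog entries shaped like the ones above, merges the lines that share a queue ID (the check_rcpt rejection, the "lost input channel" notice and the final from= summary), and tallies "Relaying denied" rejections per source address so that a repeat prober stands out from a single stray connection. The log lines, hostnames, queue IDs and addresses embedded in it are constructed for illustration (RFC 5737 documentation ranges), not the ones from this post.

```python
import re

# Classic sendmail syslog layout:
#   <mon> <day> <time> <host> sendmail[<pid>]: <queue-id>: key=value, key=value, ...
# The pid bracket is optional because the lines quoted in the post lack it.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sendmail(?:\[\d+\])?: '
    r'(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$'
)
RELAY_RE = re.compile(r'relay=(?P<name>\S+?) \[(?P<ip>[0-9.]+)\]')
REJECT_RE = re.compile(r'reject=(?P<code>\d{3}) (?P<status>\d\.\d\.\d)')

# Constructed sample log (hypothetical hosts and addresses, not from the post).
SAMPLE_LOG = """\
Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: ruleset=check_rcpt, arg1=<victim@example.com>, relay=dsl-198-51-100-7.example.net [198.51.100.7], reject=550 5.7.1 <victim@example.com>... Relaying denied
Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: from=<probe@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=dsl-198-51-100-7.example.net [198.51.100.7]
Jan 20 22:00:01 www sendmail[600]: g0L6011b00600: from=<alice@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: ruleset=check_rcpt, arg1=<test1@example.net>, relay=cable-203-0-113-9.example.org [203.0.113.9], reject=550 5.7.1 <test1@example.net>... Relaying denied
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: ruleset=check_rcpt, arg1=<test2@example.net>, relay=cable-203-0-113-9.example.org [203.0.113.9], reject=550 5.7.1 <test2@example.net>... Relaying denied
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: lost input channel from cable-203-0-113-9.example.org [203.0.113.9] to MTA after rcpt
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: from=<probe@example.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=cable-203-0-113-9.example.org [203.0.113.9]
"""


def parse_sendmail_line(line):
    """Split one sendmail log line into a dict of the fields we care about.
    Returns None for lines that are not sendmail queue-id entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "qid": m["qid"]}
    rest = m["rest"]
    relay = RELAY_RE.search(rest)
    if relay:
        rec["relay_name"], rec["relay_ip"] = relay["name"], relay["ip"]
    rej = REJECT_RE.search(rest)
    if rej:
        rec["reject_code"], rec["reject_status"] = rej["code"], rej["status"]
    rs = re.search(r'ruleset=(\w+)', rest)
    if rs:
        rec["ruleset"] = rs.group(1)
    for key in ("from", "arg1"):          # envelope sender / attempted recipient
        km = re.search(key + r'=<([^>]*)>', rest)
        if km:
            rec[key] = km.group(1)
    nr = re.search(r'nrcpts=(\d+)', rest)
    if nr:
        rec["nrcpts"] = int(nr.group(1))
    return rec


def correlate_by_qid(lines):
    """Merge all lines sharing a queue ID into one record: which recipients were
    rejected, whether the client hung up, and the envelope sender/nrcpts."""
    by_qid = {}
    for line in lines:
        rec = parse_sendmail_line(line)
        if not rec:
            continue
        merged = by_qid.setdefault(
            rec["qid"], {"qid": rec["qid"], "rcpt_rejected": [], "dropped": False})
        # A 550 from check_rcpt is sendmail's "Relaying denied" (or similar) refusal.
        if rec.get("ruleset") == "check_rcpt" and rec.get("reject_code") == "550":
            merged["rcpt_rejected"].append(rec.get("arg1"))
        if "from" in rec:
            merged["envelope_from"] = rec["from"]
            merged["nrcpts"] = rec.get("nrcpts")
        if "lost input channel" in rec["rest"] if False else "lost input channel" in line:
            merged["dropped"] = True
        for k in ("relay_name", "relay_ip", "ts"):
            if k in rec:
                merged.setdefault(k, rec[k])
    return by_qid


def relay_denials(lines):
    """Count rejected RCPTs per relay IP. Accepted mail (nrcpts >= 1, no
    rejection) is left out, so only probing sources appear."""
    out = {}
    for rec in correlate_by_qid(lines).values():
        if rec["rcpt_rejected"] and "relay_ip" in rec:
            entry = out.setdefault(rec["relay_ip"], {"name": rec.get("relay_name"), "count": 0})
            entry["count"] += len(rec["rcpt_rejected"])
    return out


if __name__ == "__main__":
    for ip, info in sorted(relay_denials(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} {info['name']:32} rejected RCPTs: {info['count']}")
```

Feed it real lines with something like `relay_denials(open("/var/log/maillog").read().splitlines())`; anything with two or more rejected recipients from one source in a single session, followed by the client dropping the connection, looks like a relay test rather than a mis-addressed message.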
This shows that my instinct to keep the box powered off was a good one. But I'm still absolutely floored that a new machine on the net could get attacked by parasites so quickly, especially when that machine has done nothing to draw attention to itself.
I'll be reading those security procedures double-close now. If you ever intend to run your own servers, you should, too.